Post on 09-Aug-2020
Introduction
▪20+ years IT Operational experience
▪10 years IT Auditing and Risk Assessment (Oil&Gas & Healthcare)
▪Certified Information Systems Auditor (CISA)
▪Certified Information Security Manager (CISM)
Agenda
▪Learn from Others
▪General Audit Preparation Measures
▪Specific Audit Preparation Activities
▪Meaningful Use (MU)
▪HIPAA
▪HIPAA & MU Audit Process
LEARN FROM OTHERS – HIPAA Pilot Audits
OCR HIPAA PILOT AUDIT PROGRAM
(day2-2_lsanches_ocr-audit.pdf)
LEARN FROM OTHERS – MU Audits
The most common problems identified are:
1. noncompliance with the required data security risk assessment, and
2. a lack of adequate documentation to support some of the responses provided in the attestations.
GENERAL AUDIT PREPARATION
▪Assume you will be Audited
▪Create a Regulatory Binder
▪Perform a Risk Analysis
▪Develop and Execute a Risk Management Plan
▪Formulate an Audit Response Plan
GENERAL AUDIT PREPARATION
ASSUME YOU WILL BE AUDITED!
▪ Providers can be audited for up to six years after MU Attestation
▪ 22% of audited eligible providers (EPs) failed their first audit
▪ Consequences of Failed MU Audits:
▪ Post-payment audit – Return of incentive payment plus interest
▪ Pre-payment audit – Non-receipt of incentive payment for year
▪ Subsequent audits of the previous and/or later attestation years
▪ Failed HIPAA Audits:
▪ Possible financial penalties as a result of a Reportable Data Breach
▪ Of the OCR-imposed monetary penalties, five involved fines of >= $1 million
GENERAL AUDIT PREPARATION
REGULATORY BINDER!
▪ Book of Evidence - each MU Attestation Year and all HIPAA activities
▪ Why do you need a Regulatory Binder?
▪ Who should be responsible for the Regulatory Binder?
▪ What should this binder contain?
▪ When should the Regulatory Binder be created/updated?
▪ Where should the Regulatory Binder be stored?
▪ Perform an independent review of the contents
GENERAL AUDIT PREPARATION
RISK ANALYSIS!
▪ Why should you perform a Risk Analysis?
▪ Who should perform the Risk Analysis?
▪ What do you need to document for the Risk Analysis?
▪ When should the Risk Analysis be performed?
▪ Where should we look for ePHI?
GENERAL AUDIT PREPARATION – RISK ANALYSIS
Where do we look for ePHI?
▪ EVERYWHERE!
▪ Electronic Health Records (EHR) System
▪ Server in-house or Provider outsourced
▪ System backup media (in-house or outsourced)
▪ Map data flow - Incoming or outgoing ePHI
▪ Secure ePHI at rest and in transit
▪ Devices
▪ Smartphones, Tablets, Laptops
▪ Fax, printer, copier and/or scanner machines with hard drive or other media
▪ Portable media which ePHI can be saved on
GENERAL AUDIT PREPARATION – Risk Analysis
INVENTORY (PREPARATION)
GENERAL AUDIT PREPARATION – RISK ANALYSIS
Who should perform Risk Analysis?
Someone who is,
▪ Independent, experienced and qualified
▪ Knowledgeable on how to document the process
▪ Unbiased for identification of risks to ePHI
▪ Able to formulate a practical and effective action plan to mitigate risk
GENERAL AUDIT PREPARATION – Risk Analysis
SCREENING QUESTIONS
GENERAL AUDIT PREPARATION – Risk Analysis
PEOPLE and PROCESSES
GENERAL AUDIT PREPARATION – Risk Analysis
TECHNOLOGY
GENERAL AUDIT PREPARATION – Risk Analysis
FINDINGS-REMEDIATION
GENERAL AUDIT PREPARATION
RISK MANAGEMENT PLAN!
▪ What is a Risk Management Plan (RMP)?
▪ Why is a RMP necessary?
▪ Who is responsible for the RMP?
▪ When should the RMP be developed/updated?
▪ Where should RMP reside?
▪ How should the RMP be used?
GENERAL AUDIT PREPARATION
▪ Resources – HHS Security Rule Educational Paper Series
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
GENERAL AUDIT PREPARATION
AUDIT RESPONSE PLAN!
▪ Why is an Audit Response Plan (ARP) necessary?
▪ Who is responsible & involved in the ARP?
▪ What are the duties and responsibilities of ARP?
▪ When should the ARP be developed and initiated?
▪ Where should ARP reside?
▪ How should the ARP be used?
SPECIFIC AUDIT PREPARATION
▪MU Audit
▪HIPAA Audit
SPECIFIC AUDIT PREPARATION – MU Audit Prep
▪Program selection and eligibility requirements
▪Ensure EHR certification – Certified Health IT Product List (CHPL)
▪MU Core/Menu Objectives and Measures
▪Numerator/Denominator measures
▪ Yes/No objective response
▪ Exclusion response
SPECIFIC AUDIT PREPARATION – MU Audit Prep
▪ Resources – CMS EHR Supporting Documentation for Audits
SPECIFIC AUDIT PREPARATION – HIPAA Audit Prep
▪ OCR HIPAA Audit Pilot Program
▪ Phase I (2011 – 2012)
▪ Phase II (2015 ?)
▪HIPAA Privacy Rule
▪ HIPAA Security Rule
▪ Administrative, Physical and Technical safeguards
▪ Organizational, Policies & Procedures, Documentation
▪Omnibus Rule Sept 23, 2013
SPECIFIC AUDIT PREPARATION – HIPAA Audit Prep
▪ HIPAA Security Rule – Organizational, Policies & Procedures, Documentation
▪ Business Associate Contracts or other Arrangements
▪ Policies and Procedures
▪ Documentation
▪ Time Limit
▪Availability
▪Updates
AUDIT PROCESS - MU
AUDIT PROCESS - HIPAA
RECAP - GENERAL AUDIT PREPARATION
▪Assume you will be Audited
▪Create a Regulatory Binder
▪Perform a Risk Analysis
▪Develop and Execute a Risk Management Plan
▪Formulate an Audit Response Plan
WHY SHOULD I DO THIS?
• Income versus Expense
• Heightened assurance, e.g. an insurance policy
• Ensure receipt of MU stimulus funds
• Evade additional MU audits
• Avoid HIPAA fines and penalties
• Avoid damage to professional reputation
CONCLUSION
Questions?
HEALTHCARE COMPLIANCE
Debra Billeaud, CISA, CISM
337.849.6354
Debra@BilleaudTechnology.com
Your Healthcare Compliance Resource